{
	"id": "6f689587-f675-4ace-abff-153d2e324cc1",
	"created_at": "2026-04-06T00:08:59.532233Z",
	"updated_at": "2026-04-10T03:35:20.382988Z",
	"deleted_at": null,
	"sha1_hash": "1f097e1b50bb5227f9b0ed011a710921de81288a",
	"title": "APT-C-36 recent activity analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 317076,
	"plain_text": "APT-C-36 recent activity analysis\r\nPublished: 2020-01-15 · Archived: 2026-04-05 12:44:14 UTC\r\nFrom Lab52 we have been tracking the activity of the group APT-C-36 during the last months. This group was named and publicly introduced by the company 360 [1] last year. That article highlights companies located in Colombia as the main objective of the group. If you don’t know APT-C-36, we recommend the article mentioned [1] for more information.\r\nIn July 2019 the company TrendMicro published an article related to another group [2] that also seems to be focused on Colombia, and some of its TTPs (Tactics, Techniques and Procedures) overlap with APT-C-36, although TrendMicro indicates that they don’t consider this group as advanced.\r\nLab52 has had access to several very recent spear-phishing emails, and the following summary information has been obtained from the analysis of these mails:\r\nThis is a group that, as already mentioned in the articles [1] and [2], knows the Spanish language well.\r\nThey usually use different types of URL shorteners in their mailings. The case of the “cort.as” shortener has caught our attention since it is a shortener from the Spanish newspaper “El Pais”, which belongs to the “Prisa Group”, very widespread in Latin America.\r\nWe have also seen links to docs.google.com, Mediafire and OneDrive used to download the samples inside some malspam emails.\r\nTheir most popular malware is LimeRAT, although many others have been found, as indicated in the reports. VJWorm has also been seen recently with different techniques for exfiltration.\r\nExfiltration through Yopmail’s HTTPS webmail service has also been observed in some spear-phishings. This coincides with the indications of TrendMicro.\r\nThe most common dynamic domains seen are:\r\na. duckdns.]org\r\nb. publicvm.]com\r\nc. linkpc.]net\r\nSince Lab52 does not have enough information to be able to say that everything analyzed belongs to a single group, it can only be said that these are different techniques used to attack a country.\r\nFrom this information, the infrastructure used by the attackers as command and control servers when executing the malware has been analyzed and the following graph has been obtained:\r\nhttps://lab52.io/blog/apt-c-36-recent-activity-analysis/\r\nPage 1 of 4\r\nThree sets (clusters) of IP addresses have been identified, and each one has some characteristics:\r\nCluster A has the following characteristics:\r\nAll its infrastructure is geolocated in Colombia. All the IPs correspond to Colombian ISPs’ IPs. This is perhaps one of the most outstanding aspects.\r\nDomains are reused and the IP to which each one points is changed.\r\nThis cluster only uses free “duckdns.org” domains.\r\nCluster B has the following characteristics:\r\nIts infrastructure is located in Colombia, Costa Rica and Panama. The IPs geolocated in the United States correspond to domains that have been “sinkholed”. By obtaining more information about the IPs, it can be seen that they are using a VPN service that provides IPs geolocated in Colombia, Costa Rica and Panama. The service is called “Powerhouse Management” (phmgmt[.]com). Therefore this cluster is not compromising infrastructure of Colombian ISP clients, but is using this VPN service.\r\nThis cluster is reusing domains and changing IP addresses a lot. They have a very short duration.\r\nThis cluster uses linkpc.net and publicvm.com as second-level domains (SLDs).\r\nThis cluster coincides with part of the domains registered in the report of the Chinese company 360 on APT-C-36.\r\nCluster C has the following characteristics:\r\nAll its infrastructure is geolocated in Colombia. All the IPs correspond to Colombian ISPs’ IPs.\r\nIn this case many domains are used and few IP addresses.\r\nThis cluster uses free duckdns.org domains.\r\nAmong the domains used by these group/s we highlight the domain:\r\ncobroserfinansa[.]com: This domain has resolved to more than 150 different IPs (157 exactly when this report was made), all of them located in Colombia.\r\nAnother outstanding aspect from the infrastructure point of view is that the IPs located in Colombia correspond with a high probability to IPs of routers compromised by the attackers. Lab52’s hypothesis is that attackers compromise routers with default credentials and use them as a frontend for their real command and control server. This fact has not been verified by Lab52, but has been observed as a common TTP for other groups. The routers seen allow the use of the iptables command, so automation of the redirection by attackers is simple.\r\nConclusions\r\nThe attackers know the language of the attacked country, Spanish, well, so Spanish-speaking countries could be considered the main candidate targets. This aspect has already been indicated in the other reports. From Lab52 we would reinforce this hypothesis by the use of the “cort.as” shortener.\r\nThe emails are well written and are almost always related to financial matters, specifically related to debt.\r\nCurrently, the attackers are not using malware developed by themselves and are using public malware projects such as LimeRAT.\r\nAttackers are using high ports to communicate with command and control servers.\r\nAttackers are probably using multi-level command and control architectures to hide the main command and control server. As a first level, they have used until now:\r\nVPN services where Colombia, Panama and Costa Rica exist as an outgoing IP\r\nRouters from ISP clients with default credentials or vulnerabilities. All these ISPs belong to Colombia.\r\nAttackers use shorteners for links in emails. It is advisable to watch out for shortened links belonging to the newspaper “El Pais”.\r\nAn alternative to the shorteners is links to file hosting services (Google, Mediafire, Dropbox, etc.)\r\n[1] https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/\r\n[2] http://blog.la.trendmicro.com/proyecto-rat-una-campana-de-spam-dirigida-a-entidades-colombianas-a-traves-del-servicio-de-correo-electronico-yopmail/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/apt-c-36-recent-activity-analysis/"
	],
	"report_names": [
		"apt-c-36-recent-activity-analysis"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434139,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f097e1b50bb5227f9b0ed011a710921de81288a.pdf",
		"text": "https://archive.orkl.eu/1f097e1b50bb5227f9b0ed011a710921de81288a.txt",
		"img": "https://archive.orkl.eu/1f097e1b50bb5227f9b0ed011a710921de81288a.jpg"
	}
}